Many of our AWS customers are storing their critical files on S3, and for various security and compliance reasons, those files need to be monitored to see if any are being accessed, altered, or deleted.

To help ensure the integrity of the files in S3 buckets, Threat Stack now supports alerting on access and changes to files in specific buckets. AWS can now record object-level access as CloudTrail events, and we have added rules to our base rule set to support that feature.

Event Names and User Actions

To create rules that monitor particular actions on files, customers can use the associated CloudTrail event name in their Threat Stack rules. The following table lists the Event Names that are generated when specific User Actions occur.

| User Action | CloudTrail Event Name |
| --- | --- |
| Download a file in a bucket | GetObject |
| Delete a file or upload a new file in a bucket | PutObject |
| Access the bucket | ListObjects |
| Access the policy of a bucket | GetObjectAcl |
| Upload a new policy on a bucket | PutObjectAcl |
| Access metadata on a bucket | HeadObject |
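The following Python sketch is an added example, not Threat Stack's rule syntax or code. It shows how the event names in the table can drive alerting over CloudTrail records for a set of critical buckets. The bucket names, sample records, and function names are constructed for illustration; the record field names follow CloudTrail's S3 event format.

```python
import json

# Event names and user actions as listed in the table above.
EVENT_ACTIONS = {
    "GetObject": "Download a file in a bucket",
    "PutObject": "Delete a file or upload a new file in a bucket",
    "ListObjects": "Access the bucket",
    "GetObjectAcl": "Access the policy of a bucket",
    "PutObjectAcl": "Upload a new policy on a bucket",
    "HeadObject": "Access metadata on a bucket",
}
# Assumption: hypothetical name of a bucket holding critical files.
CRITICAL_BUCKETS = {"example-finance-records"}
S3 = "s3.amazonaws.com"

def find_alerts(trail_json, critical_buckets=CRITICAL_BUCKETS):
    """Return one alert per monitored S3 event that touches a critical bucket."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        params = rec.get("requestParameters") or {}  # can be null on some events
        name, bucket = rec.get("eventName"), params.get("bucketName")
        if (rec.get("eventSource") != S3 or name not in EVENT_ACTIONS
                or bucket not in critical_buckets):
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "event": name,
            "action": EVENT_ACTIONS[name],
            "bucket": bucket,
            "key": params.get("key"),  # absent for bucket-level calls
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "denied": rec.get("errorCode") == "AccessDenied",  # failed attempt
        })
    return alerts

def _rec(name, source, params, error=None):
    """Build one constructed CloudTrail-style record for the sample below."""
    rec = {"eventTime": "2017-01-01T00:00:00Z", "eventSource": source,
           "eventName": name, "requestParameters": params,
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}
    return dict(rec, errorCode=error) if error else rec

# Constructed sample log: three events on the critical bucket, two that are ignored.
_crit = {"bucketName": "example-finance-records", "key": "q4.xlsx"}
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("GetObject", S3, _crit),
    _rec("PutObject", S3, {"bucketName": "example-scratch", "key": "tmp.txt"}),
    _rec("PutObjectAcl", S3, _crit, "AccessDenied"),
    _rec("RunInstances", "ec2.amazonaws.com", None),
    _rec("ListObjects", S3, {"bucketName": "example-finance-records"}),
]})
```

CloudTrail records these object-level events only for buckets where data event logging has been enabled on the trail.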

New Threat Stack FIM Features

Alerts

The Threat Stack base rule set has been updated to alert when files in critical buckets are accessed or deleted:

As Vice President of Products & Customer Advocacy, Venkat Pothamsetty is responsible for technology innovation and strategic alignment with customer business requirements. Venkat previously led products for two startups, Tollgrade and Industrial Defender, and was a major part of the successful exits for both companies. As Products Lead, Pothamsetty took several products from prototypes to successful mainstream products and, in many cases, defined market categories. Pothamsetty has also led services, pre-sales, solutions, and architecture teams at Cisco and Accenture.